From 48b3d1af2fb43f119e0c011e2350728169c82acd Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Sun, 12 Feb 2017 13:28:24 -0800
Subject: [PATCH 1/3] store generated cert for each flow fixes #1935
---
 mitmproxy/connections.py | 4 ++++
 mitmproxy/io_compat.py | 1 +
 mitmproxy/proxy/protocol/tls.py | 2 ++
 mitmproxy/test/tflow.py | 1 +
 4 files changed, 8 insertions(+)
diff --git a/mitmproxy/connections.py b/mitmproxy/connections.py
index a32889bd5..6d4d648f1 100644
--- a/mitmproxy/connections.py
+++ b/mitmproxy/connections.py
@@ -17,6 +17,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 address: Remote address
 ssl_established: True if TLS is established, False otherwise
 clientcert: The TLS client certificate
+ mitmcert: The MITM'ed TLS server certificate presented to the client
 timestamp_start: Connection start timestamp
 timestamp_ssl_setup: TLS established timestamp
 timestamp_end: Connection end timestamp
@@ -40,6 +41,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 self.clientcert = None
 self.ssl_established = None
+ self.mitmcert = None
 self.timestamp_start = time.time()
 self.timestamp_end = None
 self.timestamp_ssl_setup = None
@@ -72,6 +74,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 address=tcp.Address,
 ssl_established=bool,
 clientcert=certs.SSLCert,
+ mitmcert=certs.SSLCert,
 timestamp_start=float,
 timestamp_ssl_setup=float,
 timestamp_end=float,
@@ -98,6 +101,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 return cls.from_state(dict(
 address=dict(address=address, use_ipv6=False),
 clientcert=None,
+ mitmcert=None,
 ssl_established=False,
 timestamp_start=None,
 timestamp_end=None,
diff --git a/mitmproxy/io_compat.py b/mitmproxy/io_compat.py
index 8f89b86e9..d299b973a 100644
--- a/mitmproxy/io_compat.py
+++ b/mitmproxy/io_compat.py
@@ -88,6 +88,7 @@ def convert_019_100(data):
 def convert_100_200(data):
 data["version"] = (2, 0, 0)
+ data["client_conn"]["mitmcert"] = None
 return data
diff --git a/mitmproxy/proxy/protocol/tls.py b/mitmproxy/proxy/protocol/tls.py
index 08ce53d06..c174b0033 100644
--- a/mitmproxy/proxy/protocol/tls.py
+++ b/mitmproxy/proxy/protocol/tls.py
@@ -465,6 +465,8 @@ class TlsLayer(base.Layer):
 self.log("Establish TLS with client", "debug")
 cert, key, chain_file = self._find_cert()
+ self.client_conn.mitmcert = cert
+
 if self.config.options.add_upstream_certs_to_client_chain:
 extra_certs = self.server_conn.server_certs
 else:
diff --git a/mitmproxy/test/tflow.py b/mitmproxy/test/tflow.py
index 6d3308407..ea7be4b95 100644
--- a/mitmproxy/test/tflow.py
+++ b/mitmproxy/test/tflow.py
@@ -144,6 +144,7 @@ def tclient_conn():
 c = connections.ClientConnection.from_state(dict(
 address=dict(address=("address", 22), use_ipv6=True),
 clientcert=None,
+ mitmcert=None,
 ssl_established=False,
 timestamp_start=1,
 timestamp_ssl_setup=2,
From 6b2383a9d8b3f170adba98b384dcc4b29acd0ddf Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Tue, 21 Feb 2017 15:13:18 +0100
Subject: [PATCH 2/3] minor adjustments
---
 mitmproxy/connections.py | 5 +++--
 mitmproxy/proxy/protocol/tls.py | 2 --
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/mitmproxy/connections.py b/mitmproxy/connections.py
index 6d4d648f1..f914c7d27 100644
--- a/mitmproxy/connections.py
+++ b/mitmproxy/connections.py
@@ -112,9 +112,10 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 tls_version=None,
 ))
- def convert_to_ssl(self, *args, **kwargs):
- super().convert_to_ssl(*args, **kwargs)
+ def convert_to_ssl(self, cert, *args, **kwargs):
+ super().convert_to_ssl(cert, *args, **kwargs)
 self.timestamp_ssl_setup = time.time()
+ self.mitmcert = cert
 sni = self.connection.get_servername()
 if sni:
 self.sni = sni.decode("idna")
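Review bot: In `convert_to_ssl`, `self.mitmcert = cert` runs only after `super().convert_to_ssl(cert, *args, **kwargs)` returns, so if that call raises on a failed handshake (its body is not visible here) the connection keeps `mitmcert = None`. A client that rejects the generated certificate, for instance because of pinning or a missing trust anchor, is the case where knowing which certificate was presented is most useful for troubleshooting. Consider moving `self.mitmcert = cert` above the `super()` call, or state in the class docstring that the field is populated only once TLS is established. The rest of `convert_to_ssl` may continue past the end of the hunk.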
diff --git a/mitmproxy/proxy/protocol/tls.py b/mitmproxy/proxy/protocol/tls.py
index c174b0033..08ce53d06 100644
--- a/mitmproxy/proxy/protocol/tls.py
+++ b/mitmproxy/proxy/protocol/tls.py
@@ -465,8 +465,6 @@ class TlsLayer(base.Layer):
 self.log("Establish TLS with client", "debug")
 cert, key, chain_file = self._find_cert()
- self.client_conn.mitmcert = cert
-
 if self.config.options.add_upstream_certs_to_client_chain:
 extra_certs = self.server_conn.server_certs
 else:
From 786cd214d64ed67668e89033576dc75f3e80169a Mon Sep 17 00:00:00 2001
From: Thomas Kriechbaumer
Date: Tue, 21 Feb 2017 20:57:54 +0100
Subject: [PATCH 3/3] update compat
---
 mitmproxy/io_compat.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mitmproxy/io_compat.py b/mitmproxy/io_compat.py
index d299b973a..c12d2098d 100644
--- a/mitmproxy/io_compat.py
+++ b/mitmproxy/io_compat.py
@@ -88,12 +88,12 @@ def convert_019_100(data):
 def convert_100_200(data):
 data["version"] = (2, 0, 0)
- data["client_conn"]["mitmcert"] = None
 return data
 def convert_200_300(data):
 data["version"] = (3, 0, 0)
+ data["client_conn"]["mitmcert"] = None
 return data
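Review bot: `convert_200_300` gives every migrated flow `mitmcert = None`, the same value `ClientConnection.__init__` assigns before any TLS handshake, so a reader of a converted dump cannot tell "no certificate was presented" from "the dump predates this field". A comment on the added line would make that explicit, for example `# older dumps never recorded the generated cert; None here means unknown`. Code that audits stored flows by `mitmcert` should check `ssl_established` as well for converted data.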